Is HelloFax HIPAA Compliant?
HelloFax is HIPAA compliant if covered entities/business associates subscribe to a Dropbox Sign package that supports HIPAA compliance, configure the fax service to comply with the Security Rule, and train authorized members of the workforce on the compliant use of HelloFax. It is also necessary to agree to the terms of the Business Associate Agreement for Dropbox Sign before using the service to send documents containing Protected Health Information.
In January 2019, Dropbox acquired HelloSign – the parent company of HelloFax – in a deal worth a reported $230 million. The HelloFax service was rebranded as Dropbox Fax and, rather than being offered as a standalone service, Dropbox Fax was packaged into a suite of products that includes Dropbox Sign and Dopbox Forms. Although officially now known as Dropbox Fax, some long term users of the service still refer to it as HelloFax.
Is HelloFax HIPAA Compliant?
The HelloFax service is included in three Dropbox Sign packages – “Essentials”, “Standard”, and “Premium”. Only the “Standard” and “Premium” packages have the reporting capabilities required to support HIPAA compliance. The two packages also include an Admin Console (required for assigning user IDs), while the “Premium” package includes capabilities to reduce the administrative overhead such as Single Sign On and multi-team management.
With regards to complying with the Security Rule standards as a business associate of a covered entity, HelloFax is SOC 2 ready, ISO 27001 certified, and ISO 27018 certified. There is also a report available on request related to Security Rule and Breach Notification compliance, while potential customers can request a copy of the Dropbox Sign Business Associate Agreement prior to subscribing to an account in order to review the terms of the Agreement
Configuring the Fax Service
Configuring the fax service to make HelloFax HIPAA compliant is relatively simple. Because of the way in which the system sends and receives digital faxes, system administrators should only need to assign appropriate permissions to members of the workforce (or integrate the SSO capability), ensure the system is configured to disable permanent deletions, and activate the controls for wiping mobile devices when an authorized user leaves their job or changes roles.
In most cases, training authorized members of the workforce to use HelloFax in compliance with HIPAA can be integrated into other HIPAA training sessions. This is because the operation of HelloFax and the precautions members of the workforce have to take (i.e., understanding when the minimum necessary standard applies) are similar to the HIPAA email rules. The only addition training that may be required is if the form signing features are going to be used.
